From 69fbbdc19dd58c8a1a4786accf48c623afe2bfe4 Mon Sep 17 00:00:00 2001 From: Davi Arnaut Date: Fri, 7 Aug 2009 23:32:01 -0300 Subject: [PATCH] Bug#45010: invalid memory reads during parsing some strange statements The problem is that the lexer could inadvertently skip over the end of a query being parsed if it encountered a malformed multibyte character. A specially crated query string could cause the lexer to jump up to six bytes past the end of the query buffer. Another problem was that the laxer could use unfiltered user input as a signed array index for the parser maps (having upper and lower bounds 0 and 256 respectively). The solution is to ensure that the lexer only skips over well-formed multibyte characters and that the index value of the parser maps is always a unsigned value. --- mysql-test/r/ctype_recoding.result | 2 +- sql/sql_lex.cc | 16 ++++++++------- tests/mysql_client_test.c | 33 ++++++++++++++++++++++++++++++ 3 files changed, 43 insertions(+), 8 deletions(-) diff --git a/mysql-test/r/ctype_recoding.result b/mysql-test/r/ctype_recoding.result index 3f8ab75957b..4d7d33933cf 100644 --- a/mysql-test/r/ctype_recoding.result +++ b/mysql-test/r/ctype_recoding.result @@ -165,7 +165,7 @@ CREATE TABLE `good ERROR HY000: Invalid utf8 character string: 'ÐÌÏÈÏ' SET NAMES utf8; CREATE TABLE `goodÐÌÏÈÏ` (a int); -ERROR HY000: Invalid utf8 character string: 'ÐÌÏÈÏ` (a int)' +ERROR HY000: Invalid utf8 character string: 'ÐÌÏÈÏ' set names latin1; create table t1 (a char(10) character set koi8r, b text character set koi8r); insert into t1 values ('test','test'); diff --git a/sql/sql_lex.cc b/sql/sql_lex.cc index 061a20679e7..b0b4256184c 100644 --- a/sql/sql_lex.cc +++ b/sql/sql_lex.cc @@ -32,10 +32,10 @@ sys_var_long_ptr trg_new_row_fake_var(0, 0); /* Macros to look like lex */ -#define yyGet() *(lip->ptr++) -#define yyGetLast() lip->ptr[-1] -#define yyPeek() lip->ptr[0] -#define yyPeek2() lip->ptr[1] +#define yyGet() ((uchar)*(lip->ptr++)) +#define yyGetLast() ((uchar)lip->ptr[-1]) +#define yyPeek() ((uchar)lip->ptr[0]) +#define yyPeek2() ((uchar)lip->ptr[1]) #define yyUnget() lip->ptr-- #define yySkip() lip->ptr++ #define yyLength() ((uint) (lip->ptr - lip->tok_start)-1) @@ -813,9 +813,11 @@ int MYSQLlex(void *arg, void *yythd) } } #ifdef USE_MB - else if (var_length < 1) - break; // Error - lip->ptr+= var_length-1; + else if (use_mb(cs)) + { + if ((var_length= my_ismbchar(cs, lip->ptr-1, lip->end_of_query))) + lip->ptr+= var_length-1; + } #endif } if (double_quotes) diff --git a/tests/mysql_client_test.c b/tests/mysql_client_test.c index 040ef4d050d..63137bdba93 100644 --- a/tests/mysql_client_test.c +++ b/tests/mysql_client_test.c @@ -16647,6 +16647,38 @@ static void test_bug41078(void) DBUG_VOID_RETURN; } + +/** + Bug#45010: invalid memory reads during parsing some strange statements +*/ + +static void test_bug45010() +{ + int rc; + const char query1[]= "select a.\x80", + query2[]= "describe `table\xef"; + + DBUG_ENTER("test_bug45010"); + myheader("test_bug45010"); + + rc= mysql_query(mysql, "set names utf8"); + myquery(rc); + + /* \x80 (-128) could be used as a index of ident_map. */ + rc= mysql_real_query(mysql, query1, sizeof(query1) - 1); + DIE_UNLESS(rc); + + /* \xef (-17) could be used to skip 3 bytes past the buffer end. */ + rc= mysql_real_query(mysql, query2, sizeof(query2) - 1); + DIE_UNLESS(rc); + + rc= mysql_query(mysql, "set names default"); + myquery(rc); + + DBUG_VOID_RETURN; +} + + /* Read and parse arguments and MySQL options from my.cnf */ @@ -16949,6 +16981,7 @@ static struct my_tests_st my_tests[]= { #endif { "test_bug41078", test_bug41078 }, { "test_bug20023", test_bug20023 }, + { "test_bug45010", test_bug45010 }, { 0, 0 } };